Analysis
max time kernel: 600s
max time network: 583s
platform: windows7_x64
resource: win7v20201028
submitted: 03-11-2020 13:56
Static task: static1
General
Target: isb777amx.bin.exe
Size: 728KB
MD5: 5082932c741a5ff379de1c3f2edf1321
SHA1: a5a5f96142c6b7ca25fc451a45e9964ff4f6cd89
SHA256: 111b63f31d1e6855b0bc722107ac4f5668a7f115fd45654625eb41a6160828c6
SHA512: c5470d084ba78aab5464cb2f48eb97fa2f19633834cf6cdfe2f272ae1ab7c639c2176db493511f76cb0ffa58f1b39e9bcbdeec6bc20219cfc3891c395f7a7f4e
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 744 GetX64BTIT.exe
- Loads dropped DLL (1 IoC)
  Processes: pid 2036 isb777amx.bin.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows: flow 4 api.ipify.org; flow 5 api.ipify.org
- Suspicious behavior: EnumeratesProcesses (10905 IoCs)
  Processes: pid 2036 isb777amx.bin.exe (the same process entry is repeated for every hit)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: pid 2036 isb777amx.bin.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PID 2036 (isb777amx.bin.exe) wrote to memory of PID 744 (GetX64BTIT.exe), recorded 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe "C:\Users\Admin\AppData\Local\Temp\isb777amx.bin.exe" (PID 2036)
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe" (PID 744, child of 2036)
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
  MD5: b4cd27f2b37665f51eb9fe685ec1d373
  SHA1: 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
  SHA256: 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
  SHA512: e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
- C:\Users\Admin\AppData\Local\Temp\x64btit.txt
  MD5: fa457f4883c7ffefd87bddc9d234e5af
  SHA1: ff0695b7d525a42ad5fd1c8d0d696fb4e91c3687
  SHA256: debb2cad280f05addfa4e55a5e7c9ff94856909ccad093594e121d80c128fa31
  SHA512: fd249acab9c67fc4d564c74460b1e895ba052bbb6edbb372142157d8230c763942d403278ea05714fca35bfebe25b5f952cd5a965305c6073441d76243e4861a
- \Users\Admin\AppData\Local\Temp\GetX64BTIT.exe (the same dropped file as the C:\ entry above, recorded under a drive-less path; the hashes are identical)
  MD5: b4cd27f2b37665f51eb9fe685ec1d373
  SHA1: 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
  SHA256: 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
  SHA512: e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
- memory/744-3-0x0000000000000000-mapping.dmp
- memory/2036-0-0x000000000705D000-0x000000000705E000-memory.dmp (4KB)
- memory/2036-1-0x0000000008860000-0x0000000008871000-memory.dmp (68KB)
- memory/2036-6-0x0000000007020000-0x000000000703E000-memory.dmp (120KB)
- memory/2036-7-0x00000000002C0000-0x00000000002C1000-memory.dmp (4KB)
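The hashes of the two dropped files above are the file-level IoCs a responder would sweep other hosts for. The following is an added example, not a tool from the sandbox: a single-pass multi-hash sweep of a directory tree against those hashes. The MD5 and SHA256 values are copied from the Downloads section; the planted file in demo() is a constructed stand-in (its content and therefore its hash are made up and do not match the real GetX64BTIT.exe), used only to show the sweep finding a match.

```python
"""Sweep a directory tree for files whose hashes match the dropped-file IoCs above.
Added example; the hash values come from the report, the fixture is constructed."""
import hashlib
import os
import tempfile

# Dropped-file hashes from the Downloads section of the report.
DROPPED_FILE_HASHES = {
    "sha256": {
        "91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581",  # GetX64BTIT.exe
        "debb2cad280f05addfa4e55a5e7c9ff94856909ccad093594e121d80c128fa31",  # x64btit.txt
    },
    "md5": {
        "b4cd27f2b37665f51eb9fe685ec1d373",  # GetX64BTIT.exe
        "fa457f4883c7ffefd87bddc9d234e5af",  # x64btit.txt
    },
}


def hash_file(path, algos=("md5", "sha1", "sha256")):
    """Hash a file once, feeding every requested digest from the same read."""
    hs = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hs.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hs.items()}


def sweep(root, iocs):
    """Return (path, algo, digest) for every file under root whose digest is in iocs[algo].

    Only the algorithms present in iocs are computed, and unreadable files
    (locked, permission denied) are skipped rather than aborting the sweep.
    """
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                digests = hash_file(p, algos=tuple(iocs))
            except OSError:
                continue
            for algo, digest in digests.items():
                if digest in iocs.get(algo, ()):
                    hits.append((p, algo, digest))
    return hits


def demo():
    """Constructed fixture: one planted stand-in file, one clean file.

    The planted file's bytes are made up, so its real SHA256 is added to a copy of
    the IoC set to show a hit; the report's own hashes stay in the set unchanged.
    """
    with tempfile.TemporaryDirectory() as d:
        planted = os.path.join(d, "GetX64BTIT.exe")
        with open(planted, "wb") as f:
            f.write(b"constructed stand-in, not the real dropped binary")
        with open(os.path.join(d, "clean.txt"), "wb") as f:
            f.write(b"nothing to see here")
        iocs = {k: set(v) for k, v in DROPPED_FILE_HASHES.items()}
        iocs["sha256"].add(hash_file(planted)["sha256"])
        return [(os.path.basename(p), algo) for p, algo, _ in sweep(d, iocs)]


if __name__ == "__main__":
    print(demo())
```

Sweeping by several algorithms at once costs one extra digest update per chunk, not a second read of the file, and lets the sweep match reports that only publish MD5 as well as ones that publish SHA256. Hash matches only catch byte-identical copies; a rebuilt or repacked GetX64BTIT.exe needs the behavioural detections from the Signatures section instead.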